Issue setting up a Verisign certificate
I have generated a CSR, sent it to Verisign and they sent me back a .cer file that I have renamed to public.crt. As per their support instructions I installed their Intermediate CA (https://knowledge.verisign.com/support/ssl-certificates-support/index?page=contentid=AR193).

My virtualhost configuration is as follows:

    SSLEngine on
    SSLCertificateFile /etc/apache2/public.crt
    SSLCertificateKeyFile /etc/apache2/private.key
    SSLCACertificateFile /etc/apache2/interm.crt

I am getting this error when trying to start Apache:

    [Mon Jul 27 16:05:07 2009] [error] Init: Unable to read server certificate from file /etc/apache2/secure.canadaeast.com.public.crt
    [Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Any thoughts? I am at a loss and am not interested in waiting on hold for 35 minutes to speak to their support people. Thanks!

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majord...@modssl.org
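The "ASN1_CHECK_TLEN:wrong tag" line means OpenSSL's DER decoder met a tag it did not expect while trying to decode an X.509 Certificate out of the file named in SSLCertificateFile, so the first thing to establish is what that file actually contains. The script below is an added example, not code from the original post, from mod_ssl or from Verisign. It uses only the Python standard library: it finds the PEM header, base64-decodes the body (or treats the file as raw DER when there is no header), reads the outermost ASN.1 tag/length pairs, and distinguishes a Certificate (a SEQUENCE whose first element is the tbsCertificate SEQUENCE) from a PKCS#7 ContentInfo (a SEQUENCE whose first element is an OID), which is the kind of bundle CAs also hand out. It can also rewrap DER bytes as the PEM form mod_ssl expects. The sample inputs are constructed minimal ASN.1 fragments, not real certificates, and the command-line file paths in the __main__ block are assumed.

```python
"""Inspect what a certificate file contains before handing it to mod_ssl.

Added example (not from the original post). Only the standard library is used;
the DER reader below handles just the tag/length framing OpenSSL checks first.
"""
import base64
import re
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

SEQUENCE, OID = 0x30, 0x06
# OID 1.2.840.113549.1.7.2 (pkcs7-signedData), DER-encoded
PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")


def read_tlv(buf, pos=0):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length: N length bytes follow
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first                     # short-form length
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, pos, pos + length


def classify_der(der):
    """Say which ASN.1 structure the DER bytes look like at the outermost level."""
    try:
        tag, start, end = read_tlv(der)
        if tag != SEQUENCE:
            return "not-a-sequence (tag 0x%02x)" % tag
        if end != len(der):
            return "trailing-garbage"
        inner_tag, istart, iend = read_tlv(der, start)
    except ValueError as exc:
        return "invalid: " + str(exc)
    if inner_tag == SEQUENCE:
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "certificate"
    if inner_tag == OID:
        # ContentInfo ::= SEQUENCE { contentType OID, ... }  (PKCS#7 bundle)
        return "pkcs7" if der[istart:iend] == PKCS7_SIGNED_DATA else "pkcs7-other"
    return "unknown (inner tag 0x%02x)" % inner_tag


def inspect_file_bytes(raw):
    """Return (encoding, pem_label, structure) for the contents of a file.

    encoding is "pem" or "der"; pem_label is the BEGIN header name (None for DER).
    Only the first PEM block is examined.
    """
    blocks = PEM_BLOCK.findall(raw)
    if blocks:
        label, body = blocks[0]
        try:
            der = base64.b64decode(body)   # non-alphabet bytes (newlines) are skipped
        except Exception:
            return "pem", label.decode(), "invalid: base64 decode failed"
        return "pem", label.decode(), classify_der(der)
    return "der", None, classify_der(raw)


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed samples (not real certificates): just enough ASN.1 to show the
# outer shape that the decoder checks first.
CERT_SHAPED_DER = bytes.fromhex("30053003020101")          # SEQ { SEQ { INT 1 } }
PKCS7_SHAPED_DER = bytes.fromhex("300b06092a864886f70d010702")  # SEQ { OID signedData }

if __name__ == "__main__":
    samples = [("cert-shaped DER", CERT_SHAPED_DER),
               ("cert-shaped PEM", der_to_pem(CERT_SHAPED_DER).encode()),
               ("pkcs7-shaped DER", PKCS7_SHAPED_DER)]
    for path in sys.argv[1:]:              # assumed: optional real files to inspect
        with open(path, "rb") as fh:
            samples.append((path, fh.read()))
    for name, raw in samples:
        print("%-20s %s" % (name, inspect_file_bytes(raw)))
```

A result of ("pem", "CERTIFICATE", "certificate") is what SSLCertificateFile wants; anything else (a DER file, a PKCS7 label, a pkcs7 structure under a CERTIFICATE header, or trailing bytes) explains a read failure at startup.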
mod_ssl / mod_proxy interaction
In an effort to eventually set up a secure Apache reverse proxy for Exchange 2000's OWA, I've run into the following dilemma. Per the mod_ssl docs, I had the following declared globally:

    SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

and realised after much wailing and gnashing of teeth that that line caused the following (non-SSL) virtual host to fail to operate correctly under IE:

    Listen 10.10.10.99:80
    <VirtualHost 10.10.10.99:80>
        ServerName webmail.gactr.uga.edu
        UseCanonicalName Off
        CustomLog /tmp/webmail-trans.log combined
        ErrorLog /tmp/webmail-error.log
        RedirectPermanent / http://webmail.gactr.uga.edu/exchange/
        ProxyRequests Off
        ProxyVia Full
        ProxyPass /exchange/ http://webmail.gactr.uga.edu/exchange/
        ProxyPassReverse /exchange/ http://webmail.gactr.uga.edu/exchange/
        ProxyPass /public/ http://webmail.gactr.uga.edu/public/
        ProxyPassReverse /public/ http://webmail.gactr.uga.edu/public/
        ProxyPass /ex2k/ http://webmail.gactr.uga.edu/ex2k/
        ProxyPassReverse /ex2k/ http://webmail.gactr.uga.edu/ex2k/
        ProxyPass /exchweb/ http://webmail.gactr.uga.edu/exchweb/
        ProxyPassReverse /exchweb/ http://webmail.gactr.uga.edu/exchweb/
    </VirtualHost>

So, I moved the User-Agent config out of the global config and into each SSL config. Now, the Exchange 2000 proxy (currently non-SSL) is correctly handled by IE. Obviously, though, I will be wanting to put this proxy behind SSL, which I've already determined will not work (using the mod_ssl recommended settings). Has anyone else run into a similar situation? Is there a reasonable work-around for this?

--
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 | fax: 706.542.6546
Re: mod_ssl / mod_proxy interaction
    -Authenticate: Basic realm=webmail.gactr.uga.edu
    Content-Length: 24
    Content-Type: text/html
    Via: 1.1 webmail.gactr.uga.edu (Apache/1.3.26)
    X-Cache: MISS from webmail.gactr.uga.edu
    X-Cache: MISS from proxy.gactr.uga.edu
    Proxy-Connection: close

    Unknown authentication scheme.

--
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 | fax: 706.542.6546
Re: OpenSSL I/O error causing Page cannot be displayed in browser
Here is the combination that did the trick for us:

    SSLSessionCache shmcb:/usr/local/apache/logs/ssl_scache(1024000)
    SSLSessionCacheTimeout 600
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SetEnvIf .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

Aaron Gee wrote:

We tried that also. Below is a short list of the combinations and variations we have tried. Notice some lines from the conf file do the same as others; I was just trying all possibilities. The comments (#) in front are my addition. I have tried almost every iteration of the following to get SOMETHING to work.

Tried all of the following:

    #SSLProtocol SSLv2
    #SSLProtocol all -SSLv3
    #SSLProtocol all
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Tried both of these:

    #SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown
    #SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

Also tried these in various combinations with the above:

    #SSLSessionCache none
    #SSLSessionCache shmht:logs/ssl_scache(512000)
    #SSLSessionCache shmcb:logs/ssl_scache(512000)
    #SSLSessionCache shm:logs/ssl_scache(512000)
    #SSLSessionCache shmht:logs/ssl_scache
    #SSLSessionCache shmcb:logs/ssl_scache
    #SSLSessionCache shm:logs/ssl_scache
    #SSLSessionCacheTimeout 300
    #SSLMutex file:logs/ssl_mutex

AG

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Bryan Field-Elliot
Sent: Tuesday, December 18, 2001 12:57
To: [EMAIL PROTECTED]
Subject: RE: OpenSSL I/O error causing Page cannot be displayed in browser

Sorry you already gave up, but I believe the lines below should fix your problem (in addition to the SetEnvIf line you already added):

    SSLSessionCache dbm:/var/ssl_cache
    SSLSessionCacheTimeout 300

(change the path in the first line to one which makes sense on your server)

--
Robin P. Blanchard
IT Program Specialist
Georgia Center for Continuing Ed.
fon: 706.542.2404 fax: 706.542.6546
CNAME question/problem
The scenario: the old webserver (www.blahblahblah.edu) had a Verisign cert. Our organization recently purchased www.blahblahblah.org and a corresponding Thawte cert. We want to phase out www.blahblahblah.edu entirely. I've set up mod_rewrite to rewrite www.blahblahblah.edu to www.blahblahblah.org, but users can still access www.blahblahblah.edu as it points to the same IP address. They therefore get a browser warning that the cert (www.blahblahblah.org) doesn't match the machine name they've requested (www.blahblahblah.edu). Is there a way to force a canonical name, i.e. listen on an IP address and force use of a machine name?

--
Robin P. Blanchard
IT Program Specialist
Georgia Center for Continuing Ed.
fon: 706.542.2404 fax: 706.542.6546
Re: mod_ssl + mod_php4 segmentation faults
Hey John --

Off the top of my head, I believe that your php4 probably picked up on your system threads by default and was thus built with threads. You'll have to enable threads in Apache also: rebuild Apache with LDFLAGS="-lpthread". That *should* fix your problem (I had the same problem a while back).

John Sutton wrote:

Hi there

After many days of grief...

    kernel 2.2.10
    apache 1.3.14
    mod_php4-4.0.3pl1
    mod_ssl-2.7.1_1.3.14

The build proceeds fine (everything is built -DEAPI), and on a redhat 6.0 system (glibc-2.1.1) it kinda works. But I keep getting segfaults, and the attempt to syntax check even a trivial Apache conf file *always* segfaults:

    # httpd -T -f /etc/httpd/conf/try.conf
    Syntax OK
    Segmentation fault (core dumped)

try.conf is:

    ServerRoot /etc/httpd
    LoadModule php4_module modules/libphp4.so
    ClearModuleList
    AddModule mod_php4.c
    ServerType standalone
    accessconfig /dev/null
    resourceconfig /dev/null

(it doesn't get much simpler, huh!)

If I rebuild Apache without applying the mod_ssl patches and then rebuild php4 (i.e. without the EAPI), then everything is fine (except that then I've got no secure server!)

On a redhat 5.2 system (kernel 2.2.3, glibc-2.0.7) - which, as Sod's Law would have it, is my live server - the situation is much worse. If I include php4 in the conf file, Apache refuses to start at all. It just hangs, no output anywhere...

mod_ssl + mod_php3-3.0.17 builds and runs fine on both platforms.

Here is the build procedure I'm using, with some detail:

    # Apply patches to apache
    cd mod_ssl-2.7.1-1.3.14
    ./configure --with-apache=.. --with-eapi-only

    # Build and install apache
    cd ..
    ./configure --prefix=/usr \
        --enable-module=all \
        --enable-shared=max \
        --enable-rule=EAPI \
        --disable-rule=WANTHSREGEX
    make
    make install

    # Build mod_ssl, php3 and php4
    cd mod_ssl-2.7.1-1.3.14
    ./configure \
        --with-apxs=/usr/sbin/apxs \
        --with-ssleay=/usr/local/ssl

    cd php4-4.0.3pl1
    ./configure --prefix=/usr \
        --with-apxs=/usr/sbin/apxs \
        --with-config-file-path=/usr/lib \
        --enable-debug=no \
        --enable-safe-mode \
        --with-exec-dir=/usr/bin \
        --with-mysql=/usr \
        --with-regex=system \
        --enable-versioning

    cd php3-3.0.17
    ./configure --prefix=/usr \
        --with-apxs=/usr/sbin/apxs \
        --with-config-file-path=/usr/lib \
        --enable-debug=no \
        --enable-safe-mode \
        --with-exec-dir=/usr/bin \
        --with-mysql=/usr \
        --with-system-regex \
        --enable-versioning

Getting desperate. Any help much appreciated!

***
John Sutton
SCL Computer Services
URL http://www.scl.co.uk/
Tel. +44 (0) 1239 621021
***

--
Robin P. Blanchard
Network Engineering Support
Georgia Center for Continuing Ed.
fon: 706.542.2404 fax: 706.542.6546
load-balancing question
Could someone please point me to some information on how to set up mod_ssl to work in a hardware load-balanced configuration? Meaning, how to allow mod_ssl to be installed across several servers with private IPs that are load balanced by a device handling all http/https for a single real IP?

--
Robin P. Blanchard
Network Engineering Support
Georgia Center for Continuing Ed.
fon: 706.542.2404 fax: 706.542.6546
Re: apache-1.3.14 fails to start with modssl-2.7.0 on IRIX65
I've had the exact same problem under Intel linux-2.2.17. The server won't come up if SSLSessionCache is using shm; putting it back to dbm allows it to work. Something's awry with mm and mod_ssl-2.7.0, I think.

Andrew Brady wrote:

Trying out the new modssl/mm/apache/openssl and am getting the following error on startup after everything has compiled ok.

    mod_ssl: Cannot allocate shared memory: mm:core: failed to open \
    semaphore file (No such file or directory)

All directory permissions have checked out ok and the file is created in the logs directory of my ServerRoot. I am using a config that works ok with my previous build (apache-1.3.12/modssl-2.6.3).

I am using the following versions:

    apache_1.3.14.tar.gz
    openssl-0.9.5a.tar.gz
    mod_ssl-2.7.0-1.3.14.tar.gz
    mm-1.1.3.tar.gz

Should I just upgrade to openssl-0.9.6?

For reference my compilation details follow for IRIX6.5 mip3 cc. NB. Everything works ok on linux-elf.

Cheers,
Andy

    cd mm-1.1.3
    ./configure --disable-shared
    make
    make test
    cd ..

    cd openssl-0.9.5a
    ./configure irix-mips3-cc
    make
    make test
    cd ..

    cd mod_ssl-2.7.0-1.3.14
    ./configure \
        --with-mm=../mm-1.1.3 \
        --with-apache=../apache_1.3.14 \
        --with-ssl=../openssl-0.9.5a \
        --enable-shared=ssl \
        --enable-module=expires \
        --enable-shared=expires \
        --enable-module=rewrite \
        --enable-shared=rewrite \
        --prefix=/usr/local/apps/apache1.3.14

    cd ../apache_1.3.14
    make
    make certificate TYPE=dummy
    make install

--
Andy Brady
Web Services Group   Tel : +44(0)118 9499252
E.C.M.W.F.           Fax : +44(0)118 9869450
Shinfield Park, Reading, RG2 9AX
Web : http://www.ecmwf.int

--
Robin P. Blanchard
Network Engineering Support
Georgia Center for Continuing Ed.
fon: 706.542.2404 fax: 706.542.6546
Own CA
Hello,

My problem is in understanding the technique used to build up my own CA, as described in your FAQ (ssl_faq.html#ToC29). I somehow get along with the signing stuff, but can't imagine how the CA would run. I mean, I don't start any service. Where does the client get its OK that this public key is the right one for this site?

I'm a system administrator for a school in Switzerland. We are building a website mainly for the students and the teachers at this school. In order to have authentication data encrypted we want to use Apache (mod_ssl) under Linux (SuSE 6.2). We don't have enough money to buy a certificate from one of the sellers, so we wanted to build our own instance (CA), in order to prevent the error message coming up if a user visits an https page.

Could somebody help us? Thank you!

Regards,
Robin Aly
virtual hosting dilemma
Here's the basic scenario:

    www.somedomain.com
    www.otherdomain.com    (CNAME for www.somedomain.com)
    www.anotherdomain.com  (CNAME for www.somedomain.com)

In my httpd.conf I have:

    <VirtualHost www.somedomain.com:80>
    <VirtualHost www.somedomain.com:443>
    <VirtualHost www.otherdomain.com>
    <VirtualHost www.anotherdomain.com>

All, of course, have individual document roots. Thus, http://www.somedomain.com works perfectly, as well as https://www.somedomain.com. http://www.otherdomain.com and http://www.anotherdomain.com also work fine. However, https://www.otherdomain.com and https://www.anotherdomain.com respond as https://www.somedomain.com. I don't want these two to respond at all to https requests. Is there a way to accomplish this?

--
Robin P. Blanchard
Network Specialist IV
Georgia Center Computer Services
fon: +1 706.542.2404 fax: +1 706.542.6546
Re: Apache+mod-ssl+PHP server not accepting connections - I'm an idiot!!
Okie, slap me around and call me an idiot!! After a careful look through my httpd.conf I discovered that Apache was listening on port 8080 (http) and 8443 (https). After changing this to the standard ports 80 (http) and 443 (https) it is now accepting connections through http.

However, I am still having problems with the https section. If I try https://phaderunner.demon.co.uk:443/ on Netscape it just sits there forever waiting for a reply. If on the server I type:

    openssl s_client -connect phaderunner.demon.co.uk:443 -state -debug

I get the output:

    CONNECTED(0004)
    SSL_connect:before/connect initialization
    write to 08105D80 [08105DC8] (103 bytes = 103 (0x67))
         - 80 65 01 03 01 00 3c 00-00 00 20 00 00 16 00 00   .e... .
    0010 - 13 00 00 0a 00 00 05 00-00 04 00 00 15 00 00 12
    0020 - 00 00 09 07 00 c0 03 00-80 01 00 80 08 00 80 06
    0030 - 00 40 00 00 14 00 00 11-00 00 08 00 00 06 00 00   .@..
    0040 - 03 04 00 80 02 00 80 ec-43 38 e2 6e b2 59 23 fc   C8.n.Y#.
    0050 - 41 eb 97 99 78 da 9e b3-ed 29 97 b3 1d 55 2a f3   A...x)...U*.
    0060 - 89 5a 60 0a 4c 79 ed                              .Z`.Ly.
    SSL_connect:SSLv2/v3 write client hello A
    read from 08105D80 [0810B328] (7 bytes = 7 (0x7))
         - 3c 21 44 4f 43 54 59                              <!DOCTY
    SSL_connect:error in SSLv2/v3 read server hello A
    727:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:450:

Does anyone know what this is and how to fix it? I would really appreciate any assistance.

Thanks in advance,
Robin

-- SNIP huge sig...
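What s_client -debug read back, 3c 21 44 4f 43 54 59 ("<!DOCTY", the start of an HTML document), is a plain HTTP response where an SSL server hello was expected; that is what the "unknown protocol" error reports, so whatever answers on that port is speaking plain HTTP rather than SSL. The classifier below is an added example, not code from the original post: it uses only the Python standard library and labels the first bytes a server returns as a TLS record, an SSLv2 server hello, plain HTTP, or unknown. The samples are constructed (the seven bytes from the post plus a few typical replies); probe() is an optional network helper that sends an assumed minimal handshake record and is not used by the offline checks.

```python
"""Tell whether a port is answering in TLS/SSL or in plain HTTP.

Added example (not from the original post). The classifier works on bytes
captured from any source; probe() is a crude live check that needs network
access and is optional.
"""
import socket

# Constructed samples. SERVER_REPLY_FROM_POST is the 7-byte "read from" line
# in the s_client output above; the others are typical first bytes a server
# might send in reply to a client hello.
SERVER_REPLY_FROM_POST = bytes.fromhex("3c21444f435459")        # "<!DOCTY"
TLS_ALERT_REPLY = bytes.fromhex("15030100020228")                # alert: handshake_failure
TLS_SERVER_HELLO_REPLY = bytes.fromhex("160301004a020000")       # handshake record, type 2
SSLV2_SERVER_HELLO_REPLY = bytes.fromhex("8003040000")           # SSLv2 record, msg type 4
HTTP_400_REPLY = b"HTTP/1.1 400 Bad Request\r\n"


def classify_server_bytes(data):
    """Classify the first bytes a server sent after our client hello.

    Returns one of "tls-record", "sslv2-hello", "http-plaintext", "empty", "unknown".
    """
    if not data:
        return "empty"
    # TLS record layer: content type 0x16 (handshake) or 0x15 (alert), major version 3
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-record"
    # SSLv2 record: 2-byte header with the high bit set, then message type 4 (SERVER-HELLO)
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:
        return "sslv2-hello"
    # An HTTP status line or an HTML body means the listener is speaking plain HTTP
    head = data[:16]
    if head.startswith(b"HTTP/") or head.lstrip().startswith(b"<"):
        return "http-plaintext"
    return "unknown"


# Assumed minimal probe: a TLS handshake record header carrying a one-byte body.
# A TLS server replies with an alert record; a plain HTTP server replies in text
# (or just closes the connection).
PROBE_RECORD = b"\x16\x03\x01\x00\x01\x01"


def probe(host, port=443, timeout=5.0):
    """Connect, send PROBE_RECORD and classify whatever comes back (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PROBE_RECORD)
        try:
            data = sock.recv(64)
        except socket.timeout:
            data = b""
    return classify_server_bytes(data)


if __name__ == "__main__":
    for name, sample in [("from the post", SERVER_REPLY_FROM_POST),
                         ("TLS alert", TLS_ALERT_REPLY),
                         ("TLS server hello", TLS_SERVER_HELLO_REPLY),
                         ("SSLv2 server hello", SSLV2_SERVER_HELLO_REPLY),
                         ("HTTP 400", HTTP_400_REPLY)]:
        print("%-20s -> %s" % (name, classify_server_bytes(sample)))
```

"http-plaintext" on port 443 points at the listener's configuration (no SSLEngine on for that address:port, or a non-SSL server bound there) rather than at the certificate or the client, which narrows the search before touching any mod_ssl directive.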
Problems with SSL/Apache...
    depth=0 /C=NO/ST=none/L=Tonsberg/O=Syse Data/OU=Bedrift Server/CN=bedrift.sysedata.no
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=NO/ST=none/L=Tonsberg/O=Syse Data/OU=Bedrift Server/CN=bedrift.sysedata.no
    verify error:num=21:unable to verify the first certificate
    verify return:1

Best regards,
For Syse Data,
Robin Smidsrød
Technician / Salesperson
---
Work-related email: [EMAIL PROTECTED]
Private email: [EMAIL PROTECTED]
Phone work/private: 33310100 / 91593393
compilation trouble [openssl-0.9.3a + rsaref-2.0 + mod_ssl-2.3.5 + apache-1.3.6]
Trying to build Apache with the SSL (with RSAref libraries) modules, and keep running into the following. Any ideas?

    === src/modules
    gcc -c -I. -I/usr/lib/perl5/5.00503/i386-linux/CORE -I./os/unix -I./include -DLINUX=2 -DMOD_SSL=203105 -DMOD_PERL -DUSE_PERL_SSI -Dbool=char -DHAS_BOOL -I/usr/local/include -DUSE_HSREGEX -DEAPI `./apaci` modules.c
    gcc -c -I. -I/usr/lib/perl5/5.00503/i386-linux/CORE -I./os/unix -I./include -DLINUX=2 -DMOD_SSL=203105 -DMOD_PERL -DUSE_PERL_SSI -Dbool=char -DHAS_BOOL -I/usr/local/include -DUSE_HSREGEX -DEAPI `./apaci` buildmark.c
    gcc -DLINUX=2 -DMOD_SSL=203105 -DMOD_PERL -DUSE_PERL_SSI -Dbool=char -DHAS_BOOL -I/usr/local/include -DUSE_HSREGEX -DEAPI `./apaci` -L/usr/local/ssl/lib \
        -o httpd buildmark.o modules.o modules/php3/libphp3.a modules/standard/libstandard.a modules/ssl/libssl.a modules/perl/libperl.a main/libmain.a ./os/unix/libos.a ap/libap.a regex/libregex.a -Wl,-rpath,/usr/lib -Wl,-rpath,/usr/local/src/php-3.0.11/../mysql-3.22.25/lib -Lmodules/php3 -L../modules/php3 -L../../modules/php3 -lmodphp3 -lpcre -lpam -lm -ldl -lcrypt -lnsl -lresolv -lm -lcrypt -lndbm -lssl -lcrypto -rdynamic -L/usr/local/lib /usr/lib/perl5/5.00503/i386-linux/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl5/5.00503/i386-linux/CORE -lperl -lnsl -lndbm -lgdbm -ldb -ldl -lm -lc -lposix -lcrypt -lgdbm -lgd -L/usr/lib -lttf -L/usr/local/src/php-3.0.11/../mysql-3.22.25/lib -lmysqlclient
    /usr/local/ssl/lib/libcrypto.a(rsa_lib.o): In function `RSA_new_method':
    rsa_lib.o(.text+0x1d): undefined reference to `RSA_PKCS1_RSAref'
    /usr/local/ssl/lib/libcrypto.a(err_all.o): In function `ERR_load_crypto_strings':
    err_all.o(.text+0x3a): undefined reference to `ERR_load_RSAREF_strings'
    collect2: ld returned 1 exit status
    make[2]: *** [target_static] Error 1
    make[2]: Leaving directory `/usr/local/src/apache_1.3.6/src'
    make[1]: *** [build-std] Error 2
    make[1]: Leaving directory `/usr/local/src/apache_1.3.6'
    make: *** [build] Error 2

--
Robin P. Blanchard
Network Specialist IV
The Georgia Center for Continuing Education